Managed OAuth for Cloudflare Access helps AI agents securely navigate internal applications. By adopting RFC 9728, agents can authenticate on behalf of users without using insecure service accounts.
# Best Practices: Managed OAuth for AI Agent Access
## Overview
These practices address the security gap created when AI agents attempt to access internal applications protected by Zero Trust barriers. Instead of using insecure, long-lived service accounts or static tokens, Managed OAuth utilizes modern identity standards (RFC 9728) to allow agents to authenticate on behalf of specific users, maintaining the principle of least privilege and Zero Trust visibility.
## Key Recommendations
### Immediate Actions
1. **Enable Managed OAuth:** Activate the "Managed OAuth" toggle within the Cloudflare Access dashboard for existing internal applications.
2. **Retire Hardcoded Tokens:** Identify agents currently using static service tokens or hardcoded JWTs and prepare them for the shift to dynamic authentication.
3. **Enable Markdown for Agents:** Parallel to OAuth, enable "Markdown for Agents" on internal sites (like wikis) to ensure agents can interpret the content once authenticated.
### Short-term Improvements (1-3 months)
1. **Standardize Agent Discovery:** Ensure all internal AI tools are configured to look for the `.well-known/oauth-authorization-server` endpoint for service discovery.
2. **Implement PKCE:** Tighten security by ensuring agent-driven flows utilize Proof Key for Code Exchange (PKCE - RFC 7636) to prevent authorization code injection.
3. **Audit Agent Permissions:** Review Access policies to ensure agents acting "on behalf of" users are subject to the same device posture and identity requirements as the users themselves.
### Long-term Strategy (3+ months)
1. **Zero-Service-Account Architecture:** Transition toward a "human-in-the-loop" delegation model where no agent has autonomous access to sensitive data without a delegated user session.
2. **Cross-Organization Identity Bridging:** Utilize the Organizations beta to manage and bridge identities across different Cloudflare accounts for partner or subsidiary agent access.
## Implementation Guidance
### For Small Organizations
- Focus on using the Cloudflare Access free tier to protect legacy apps.
- Use Managed OAuth to gain "one-click" compatibility for internal tools without writing custom authentication logic.
### For Medium Organizations
- Implement a centralized registry of approved AI agents.
- Require all agents to use Dynamic Client Registration (RFC 7591) to ensure the security team can track which agents are accessing which applications.
### For Large Enterprises
- Integrate Managed OAuth with Model Context Protocol (MCP) server portals to manage access to diverse data sources.
- Use Mass Upgrading techniques to wrap legacy "long-tail" internal software behind Access, making them agent-ready without modifying original source code.
## Configuration Examples
### Protocol Standards Supported
- **Discovery:** `GET https://[your-domain]/.well-known/oauth-authorization-server`
- **Dynamic Registration:** RFC 7591 support for agents to identify themselves to the authorization server.
- **Header Implementation:**

```http
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="Cloudflare Access", authorization_uri="https://[auth-domain]/cdn-cgi/access/tokens"
```
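
The discovery and PKCE recommendations above, shown as agent-side checks in Python. This is an added example, not Cloudflare's code and not part of the original report; the sample metadata, the `auth.example.com` host and all function names are constructed for illustration.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed sample metadata; auth.example.com is a placeholder, not a real deployment.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://auth.example.com",
    "authorization_endpoint": "https://auth.example.com/authorize",
    "token_endpoint": "https://auth.example.com/token",
    "code_challenge_methods_supported": ["S256"],
})

def validate_metadata(raw, expected_issuer):
    """Return parsed metadata, or raise ValueError if the agent should not use it."""
    meta = json.loads(raw)
    # RFC 8414 section 3.3: issuer must match the URL discovery started from.
    if meta.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch")
    for key in ("authorization_endpoint", "token_endpoint"):
        url = urlsplit(str(meta.get(key, "")))
        if url.scheme != "https" or not url.netloc:
            raise ValueError(key + " is not an https URL")
    # Refuse servers that do not advertise S256 rather than falling back to "plain".
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        raise ValueError("PKCE S256 not advertised")
    return meta

def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the RFC 7636 S256 method."""
    verifier = verifier or secrets.token_urlsafe(64)  # 86 chars, allowed range is 43-128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge

def authorization_url(meta, client_id, redirect_uri, challenge, state):
    """Build the authorization request; the verifier itself never leaves the agent."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
    })
    return meta["authorization_endpoint"] + "?" + query
```

The agent keeps the `code_verifier` in memory and sends it only in the later token request, so an authorization code captured in transit cannot be redeemed without it.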
## Compliance Alignment
- **NIST SP 800-207 (Zero Trust Architecture):** Aligns with the core principle that no user or agent is trusted by default; every request must be authenticated.
- **RFC 9728:** Compliance with the latest standards for OAuth 2.0 authorization server metadata.
- **RFC 7636 (PKCE):** High-security standard for preventing interception of authorization codes in public clients/agents.
## Common Pitfalls to Avoid
- **Use of Insecure Service Accounts:** Avoid creating "Shadow Identities" for agents that bypass MFA or SSO.
- **Ignoring Scopes:** Ensure agents are only granted the specific scopes needed for the task, rather than full user-level administrative access.
- **Lack of Revocation Patterns:** Ensure that when a user’s session is terminated, the delegated agent token is also invalidated.
## Resources
- **Cloudflare Access Documentation:** https://developers.cloudflare.com/cloudflare-one/access-controls/
- **RFC 9728 (OAuth Metadata):** https://datatracker.ietf.org/doc/html/rfc9728
- **Model Context Protocol (MCP):** https://modelcontextprotocol.io
- **Cloudflare Zero Trust Dashboard:** https://dash.cloudflare.com/